Skip to main content

CAI Content Credentials CVE-2026-47905

| EUVDEUVD-2026-35845 MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-06-09 adobe GHSA-jp5j-q2jw-fhpf
6.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.2 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 09, 2026 - 22:23 vuln.today

DescriptionNVD

CAI Content Credentials versions c2pa-web@0.7.1, c2pa-v0.80.1 and earlier are affected by an Uncontrolled Resource Consumption vulnerability. An attacker could exploit this vulnerability to exhaust system resources, resulting in an application denial-of-service condition. Exploitation of this issue does not require user interaction.

AnalysisAI

Uncontrolled resource consumption in Adobe's CAI Content Credentials SDK (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) allows a local, unprivileged attacker to exhaust system resources and crash the hosting application. The CVSS vector confirms local access is required, limiting exposure primarily to environments where untrusted users share process space with SDK-consuming applications, such as multi-tenant systems or services that process attacker-supplied C2PA credential data from disk or local input. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Technical ContextAI

The affected library implements Adobe's C2PA (Coalition for Content Provenance and Authenticity) standard for embedding and verifying Content Credentials metadata into digital media. Two package variants are affected: the web-oriented binding (c2pa-web) and the core library (c2pa-v), both confirmed via CPE cpe:2.3:a:adobe:cai_content_credentials:*:*:*:*:*:*:*:*. CWE-400 (Uncontrolled Resource Consumption) indicates the library fails to impose adequate limits on memory allocation, CPU cycles, or processing iterations when handling certain inputs - a common failure mode in parsers and deserializers that process externally-supplied structured data formats such as the C2PA manifest embedded in media files. Without rate limiting or size bounds, a crafted input can cause the library to spin indefinitely or allocate unbounded memory, exhausting host system resources.

RemediationAI

Consult Adobe Security Bulletin APSB26-61 (https://helpx.adobe.com/security/products/content-authenticity-sdk/apsb26-61.html) for the vendor-confirmed patched release versions, as the exact fixed version numbers were not enumerated in the available advisory data and should not be inferred. Upgrade c2pa-web and c2pa-v packages to the versions specified in APSB26-61 as soon as possible. As a compensating control prior to patching, restrict which users or processes can supply input to SDK-consuming components - for example, enforce allowlist-based file validation upstream of any C2PA parsing logic, and consider wrapping SDK calls with process-level resource limits (e.g., ulimit on Linux, Job Objects on Windows) to cap memory and CPU consumption per invocation. Note that resource limit wrappers may cause application instability under legitimate heavy load, so tune thresholds carefully against normal operational profiles.

CVE-2026-34712 HIGH
7.5 Jun 09

Denial-of-service in Adobe's CAI Content Credentials SDK (c2pa-web 0.7.1 and c2pa 0.80.1 and earlier) allows remote unau

CVE-2026-34711 HIGH
7.5 Jun 09

Denial-of-service in Adobe CAI Content Credentials (c2pa-web 0.7.1 and c2pa 0.80.1 and earlier) allows remote unauthenti

CVE-2026-34713 HIGH
7.5 Jun 09

Denial-of-service in Adobe CAI Content Credentials (c2pa-web 0.7.1 and c2pa 0.80.1 and earlier) allows remote unauthenti

CVE-2026-34665 HIGH
7.5 May 12

CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Uncontrolled Resource Consumption vulnerab

CVE-2026-47903 MEDIUM
6.2 Jun 09

Improper input validation in Adobe's CAI Content Credentials SDK (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) permits a

CVE-2026-47904 MEDIUM
6.2 Jun 09

Uncontrolled resource consumption in Adobe CAI Content Credentials (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) allows

CVE-2026-47902 MEDIUM
6.2 Jun 09

Uncontrolled resource consumption in Adobe CAI Content Credentials SDK (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) all

CVE-2026-34669 MEDIUM
6.2 May 12

CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th

CVE-2026-34688 MEDIUM
6.2 May 12

CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th

CVE-2026-34668 MEDIUM
6.2 May 12

CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th

CVE-2026-34670 MEDIUM
6.2 May 12

CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th

CVE-2026-34679 MEDIUM
6.2 May 12

CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th

Share

CVE-2026-47905 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy